\chapter{Intrusion Detection Systems Using Virtualization}
\label{cha:IDSvirtualization}
 

As discussed in the earlier chapters, there are many difficulties in implementing Intrusion Detection Systems. Some of these Difficulties been, The Compromise of one application on the System, will lead to the compromise of the whole System as well as the HIDS. NIDS does solve this problem to some extent but it doesn't allow the NIDS to inspect what is really happening inside the Monitored Host making the Intrusive activities undetectable.

The successful deployment of Intrusion Detection Systems need a architecture which provides both good visibility into the Monitored Host as well as strong isolation for the IDS.

\section{What Virtualization Offer for IDS }

Virtualization provides a solution for the above conflicting requirements of Intrusion Detection Systems or any Secure System and provides a Architecture on which both the Isolation and Visibility properties can be achieved. Thus in this Chapter I will be discussing how Virtualization can be used for the implementation of a successful IDS.

The IDS using Virtualization will have a General Architecture as follows. The Monitored Host System will run as a Virtual Machine running on the Hypervisor. The Intrusion Detection System will run on a different Virtual Machine on the same Hypervisor. There will be some additional supporting Security Systems that make our IDS more secure, each of these will be run on Virtual Machines.


Properties of an Ideal Intrusion Detection System. \cite{garfinkel:vmi} , \cite{paladin}
\begin{description}
\item[Isolation    ] - The IDS and the Monitored Host runs on different VMs. This will provide the \emph{isolation} needed.
The IDS and the Host will be on different hardware protection domains, not allowing different VMs to access or modify each other. Even if the Monitored Host is compromised, it would not be able to compromise the IDS.


\item[Inspection   ] - The Hypervisor also provides the ability to monitor the hardware state and events of the Virtual Machine that a Monitored host is running on. This propery provides that visibility benefits that a HIDS would provide.

\item[Interposition] - Each VM executes its privileged operations through the Hypervisor, hence the Hypervisor has the ability to monitor both hardware  and software level events. This also gives the added benefit of providing hardware access control.

\end{description}





 
\section{Implementation of IDS using VMM }
\label{sec:implIDSusingVMM }
Virtualization Provides  the isolation property needed for the IDS. To provide Inspection and Interposition there needs to be some modification for the Hypervisor.

Modifications have to be done with severe caution as it could reduce the Secure properies Inherent to Hypervisors. The successful introduction of bug free changes to the hypervisor can provide the hypervisor great functionality required. The Ideal Modification to the Hypervisor should provide the secure visibility into the Host's State as well as the ability to monitor any event fired by the Hosts.

Garfinkel in his Livewire Intrusion Detection System has proposed a well accepted model on which IDS can be created using Virtualization  \cite{garfinkel:vmi}. This Survey will be mostly based on his architecture. His approach inspects a virtual Machine from outside for the purpose of analyzing the software running in it. This approach is called Virtual Machine Introspection (VMI).

The general Architecture of the IDS will be as follows,

The IDS will be running on the more Privileged VM which would be the Dom0 of Xen, the Monitored Host will be another Virtual Machine a DomU on Xen. An Architecture Diagram of the Following is shown in Figure \ref{fig:vmiids}, which is based on the Architecture that Livewire uses \cite{garfinkel:vmi}.

\begin{figure}
\caption{ IDS VM Architecture \label{fig:vmiids}}
\begin{center}
\ifpdf
    \includegraphics[width=4in]{images/VMIIDS.jpg}
\fi
\end{center}
\textsl{IDS architecture based on Virtualization}
\end{figure}

(Normally Dom0 has the administrative powers only to start, reboot, shutdown and suspend the DomU.

To gain the properties of Interposition and Inspection the approach would be as follows,)

\subsection{Virtual Machine Access Library}

For the Visibility to be provided to the IDS VM, it needs a communication Mechanism to communicate with the Hypervisor. The Hypervisor is introduced with a 'VM access Library'. This provides the IDS to send commands to the Hypervisor which will respond appropriately.
The IDS VM should be able to get replies for the following commands to implement Detection and Prevention of Intrusions.
\begin{description}
\item[Inspection Commands]
Used to get the VM's State such as memory, registers and I/O device flags
\item[Monitor Commands]
Sense when machine events occur, and notify by delivering events to the IDS VM.
\item[Counter Measure Events]
Used to instruct the Monitored VM how to counter attack.
\end{description}


\subsection{OS Interface Library}
The Hypervisor has access to the Hardware level state of the VMs. This Hardware state has to be converted to the real software state represented by higher level OS structures. These software state enables the analysis of it.
This Conversion to OS structures is done by the OS Interface Library. This basically gives the view of a really running OS to the IDS, using the Hardware State.


\subsection{Policy Engine}
This is a Module that is implemented by any IDS. This component is the real Inspector of Intrusions.
Just like any IDS, the Virtualization based IDS also requires the Policy Engine.




Policy Engine interprets the System State using the OS Interface Library and determines if the System in being Compromised.

To implement the policy Engine we can either create a Policy Engine of our Own or we can use existing Intrusion Detection Systems and provide interface to the Existing IDS to access the OS Interface Library and do the detection.




Policy Engine will have Modules each doing a specific check. The modules will be fired either periodically to check states or will execute when a particular Event is fired in the Monitored VM.
To detect and report whether a compromise has occurred the Host's properties have to be examined. More the properties that can be examined increases the ability to detect a compromise successfully and minimizes the chances for a malicious party to mimic normal host behavior and evade the IDS.
Many Detection  Mechanisms have to be in place to properly detect most of the the attacks available today. With the discussed architecture it will be possible to implement these successfully. Some of the detection Mechanisms are as below

\subsubsection{Hidden Process Discovery}
\ref{item:processHiding} Hidden malicious Processes can be detected by directly inspecting the hardware and kernel State, and by querying through user level Programs(i.e. ps ) at the same point in time.
If there are differences in the process lists, it can be considered as a tampering.

\subsubsection{Process Integrity Detector}
The modifications done to a process can be detected by keeping secure hashes of the Original process and then periodically obtaining secure hashes again and checking with the original. Due to pagging the process might not be in the memory entirely therefore talking a per-page secure hash will lead to the detection of tampering with the processes.

\subsubsection{Socket Detector}
The kernal can be queried about all the sockets open and then the open sockets can be analysed to see if there are any unwanted sockets open.

\subsubsection{Memory Access Enforcer}
This works by marking sensitive memory locations as read only through the Hypervisor. If these sections are tryed to be modified a event will fire and let the IDS know about the access. The IDS in turn will invoke the necessary action to prevent the modification.



\subsection{Addtional Protection}
Even with all the above Detection Mechanisms in place, there is a possibility that some of the attacks can creep in. In order to stop these unaccounted attacks and Provide additional Protection its possible to introduce other Intrusion Detection approaches by running the new Detection mechanism in a new VM and providing it too with a "OS Interface Library" so that it can independently carry out its detection within the secure environment of Virtualization. The performance aspect of Introducing such a extensible architecture has to be explored. If it proves feasible will be a avenue to create a "PERFECT" IDS.
As an example it would be possible to introduce a Network Based IDS in a new VM and let it monitor all the network traffic, while providing the visibility into the process that is transmitting the traffic as well.


The above discussed Detection mechanisms will mostly detect an attack over the network, Yet its possible that a person having physical access to the System wants to misuse the Computer System, And installs a program as described below to send out information over the network. To make it undetectable for the IDSs they employ a approach where data is transmitted only when there is Human Activity happening on the Machine. (many spyware programs use this approach these days to hide from Spy ware Blockers).

There is a System based on Virtualization that has been created to counter the above sort of information Leakage called Siren \cite{siren}.
What siren does is It injects specially crafted Human input to mimic normal user activity and determines ahead of time the exact sequence of network messages it expects for the above input. Finally at detection phase it injects the mimicked User inputs and compares the actual network traffic with the expected. The additional traffic available in the actual traffic can be flagged as malicious Traffic.


Above kind of Detection Systems too can be included in our discussed IDS, by adding these new Detection Systems in a new VM.





\subsection{Prevention}

Ones the Policy Engine Detects a malicious activity, then based on the attack that has happened the policy engine can activate the appropriate Prevention Activity that would revert the attack and put it back in the compromised state.

In addition to these Prevention Provided through the policy Engine, its possible to employ some of the many Prevention Mechanisms available.

One of the Prevention Systems that can be employed together with the above IDS is SVFS ( Secure Virtual File System ) that is designed to protect sensitive files even in the event of a compromised OS \cite{protSensFiles}. The Architecture of SVFS is shown in Figure \ref{fig:svfs}.

\begin{figure}
\caption{ Protecting sensitive Files using SVFS \label{fig:svfs}}
\begin{center}
\ifpdf
    \includegraphics[width=4in]{images/svfs.jpg}
\fi
\end{center}
\textsl{Architecture of SVFS which protects sensitive files using Virtualization}
\end{figure}

Data Virtual Machine (DVM) mediates sensitive file access requests from all over the other VMs. The normal files will reside on the VM itself, while the sensitive files will be stored in the DVM and approved for access by the the DVM. This will prevent the modification or access to any of the Sensitive files even if the Monitored Host is Compromised.

If there is a possibility of the IDS VM also getting attacked, its possible to put the sensitive files of the IDS VM also in the DVM.



There are also preventive Systems that operate by keeping keep track of the malicious System tree. Ones a malicious activity takes place the whole process sub tree is removed making the system safe again \cite{paladin}.



\subsection{Challenges in the Virtualization based IDS}
\begin{itemize}
\item
Virtualization does cause a performance degration, as well as the IDSs. Therefore there is a possibility of a decrease in performance in the system.
\item
Virtualization requires that each VM is given sufficient memory and disk space, this will require a good deal of physical resources \cite{VmSecSys}.
\item
There is a semantic gap between the VMs and the Hypervisor. The Hypervisor provides a low level, hardware state of the VMs while the IDS requires a much high level view of the state ( Hypervisor provides disk blocks rather than the file ). Obtaining the appropriate level of abstraction would need a considerable effort. This is the functionality provided by the "OS interface library".

\item
Attackers or Malicious Software can detect Virtual Machines and avoid them entirely \cite{VMattacks}.  

\item
The main pillar of the IDS discussed in this Survey is the Secure base the Hypervisor provides, yet there is some possibility of attackers being able to compromise the Hypervisor as well \cite{HypMalware}.


\end{itemize}






